Suggested answers to discussion questions
rais12 SM CH08
Complexity (types of characters allowed)            Number of characters                      Length   Number of possible passwords
-------------------------------------------------   ---------------------------------------   ------   ---------------------------
Numeric                                             10 (0-9)                                  4        10^4  = 10,000
Alphabetic, not case sensitive                      26 (a-z)                                  8        26^8  = 2.088E+11
Alphabetic, case sensitive                          52 (a-z, A-Z)                             8        52^8  = 5.346E+13
Alphanumeric, case sensitive                        62 (0-9, a-z, A-Z)                        8        62^8  = 2.183E+14
Alphanumeric, case sensitive                        62 (0-9, a-z, A-Z)                        12       62^12 = 3.226E+21
Alphanumeric, case sensitive, plus special chars    95 (0-9, a-z, A-Z, and $, !, #, etc.)     8        95^8  = 6.634E+15
Alphanumeric, case sensitive, plus special chars    95 (0-9, a-z, A-Z, and $, !, #, etc.)     12       95^12 = 5.404E+23


b. Complexity requirements (which types of characters must be used: numbers, alphabetic characters, mixed case, special symbols such as $ or !) – interacts with length to determine how hard it is to guess a password or to discover it by trial-and-error testing of every combination, as the table above shows.
c. Maximum password age (how often the password must be changed) – a shorter maximum age forces more frequent changes, which limits how long a compromised password stays usable. One caveat a practitioner should note: forced periodic rotation pushes users toward predictable variations of the old password, and NIST SP 800-63B now recommends requiring a change only when there is evidence of compromise rather than on a fixed schedule.
d. Minimum password age (how long a password must be kept before it can be changed) – combined with password history, this prevents someone from effectively keeping the same password, because it stops them from changing passwords repeatedly in quick succession until the system allows the old password again.
e. Password history (how many prior passwords the system remembers so they cannot be reselected when a change is required) – the larger this is, the longer before someone can reuse a password. For example, a history of 12 combined with a minimum age of 1 month means the same password cannot be used again until after a year. Note that this requires a non-zero minimum age: if the minimum age is zero, someone could change their password as many times as the history setting remembers, and then change it once more, back to the password they started with, all within a few minutes.
f. Account lockout threshold (how many failed login attempts before the account is locked) – this is designed to stop guessing attacks. It must allow for typos, an accidentally engaged CAPS LOCK key, etc., so that legitimate users are not locked out. It also gives an attacker who knows the threshold a way to lock out legitimate users deliberately. Its effect depends on the next variable, the time frame.
g. Time frame during which failed attempts are counted toward the threshold (i.e., if the lockout threshold is five failed attempts, the time frame is whether those 5 failures must occur within 15 minutes, 1 hour, 1 day, etc.) – a longer time frame is stricter, because an attacker who knows the policy can pace guesses to stay just under the threshold: with a threshold of 5, a 15-minute window allows about 384 guesses per account per day, while a 1-day window allows only 4.
h. Account lockout duration (how long the account remains locked after the maximum number of failed attempts is exceeded) – longer lockouts defeat guessing. Too short a value lets an attacker guess x times, wait out a lockout of a few minutes, and start guessing again. A lockout that lasts until an administrator unlocks the account stops this, but makes the deliberate lockout noted in f more damaging.
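As an added worked example (editor's code, not part of the solutions manual), the following Python reproduces the keyspace figures in the table above, converts them to time-to-exhaust at a chosen guess rate, computes the best sustained guessing rate the lockout parameters in f, g and h leave open to an attacker who knows the policy, and simulates the history/minimum-age interaction described in d and e. All function and class names are mine, as are the two lockout pacing strategies and the assumption that the failure counter resets when the window expires or a lockout ends.

```python
"""Password-policy arithmetic for the parameters discussed above.

Added example; names and the counter-reset assumptions are the editor's, not the text's.
"""
import math
from typing import List, Optional

# Character-set sizes taken from the table (constructed lookup for the examples below).
CHARSETS = {
    "numeric": 10,              # 0-9
    "alpha": 26,                # a-z
    "alpha_case": 52,           # a-z, A-Z
    "alnum_case": 62,           # 0-9, a-z, A-Z
    "alnum_case_special": 95,   # all printable ASCII except space
}
SECONDS_PER_DAY = 86_400


def keyspace(charset_size: int, length: int) -> int:
    """Number of possible passwords: charset_size ** length (the table's last column)."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Equivalent strength in bits if every password in the space is equally likely."""
    return length * math.log2(charset_size)


def years_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Years to try every password at the given rate; the expected cost is half of this."""
    return keyspace(charset_size, length) / guesses_per_second / SECONDS_PER_DAY / 365


def max_guesses_per_day(threshold: int, window_seconds: int, lockout_seconds: Optional[int]) -> float:
    """Upper bound on failed guesses per day against one account for an attacker who knows the policy.

    Assumed counter semantics: the failure counter resets when the window expires and when a
    lockout ends. lockout_seconds=None means locked until an administrator unlocks the account.
    stay_under: threshold-1 failures per window, never triggering lockout (parameter g).
    burn:       threshold failures, wait out the lockout, repeat (parameter h).
    """
    stay_under = (threshold - 1) * SECONDS_PER_DAY / window_seconds
    burn = 0.0 if lockout_seconds is None else threshold * SECONDS_PER_DAY / lockout_seconds
    return max(stay_under, burn)


class PasswordHistory:
    """Enforces parameters d (minimum age) and e (history) for one account."""

    def __init__(self, history_size: int, min_age_days: int):
        self.history_size = history_size
        self.min_age_days = min_age_days
        self.past: List[str] = []                 # oldest first; last entry is the current password
        self.last_change_day: Optional[int] = None

    def change(self, new_password: str, day: int) -> bool:
        """Apply a change request on `day`; return True if the policy accepts it."""
        if self.last_change_day is not None and day - self.last_change_day < self.min_age_days:
            return False                          # minimum age not yet reached
        remembered = self.past[-self.history_size:] if self.history_size > 0 else []
        if new_password in remembered:
            return False                          # reuse of a remembered password
        self.past.append(new_password)
        self.last_change_day = day
        return True


def days_until_reuse(history_size: int, min_age_days: int, max_days: int = 10_000) -> Optional[int]:
    """Simulate a user cycling through throwaway passwords as fast as the policy allows in order
    to get back to the original one. Returns the first day on which the original is accepted."""
    account = PasswordHistory(history_size, min_age_days)
    account.change("original", day=0)
    throwaways = 0
    for day in range(max_days):
        while True:                               # keep changing today while the policy allows it
            if account.change("original", day):
                return day
            if not account.change(f"throwaway{throwaways}", day):
                break                             # minimum age blocks any further change today
            throwaways += 1
    return None


if __name__ == "__main__":
    for name, size in CHARSETS.items():
        for length in (8, 12):
            print(f"{name:20s} len={length:2d} keyspace={keyspace(size, length):.3E} "
                  f"bits={entropy_bits(size, length):5.1f} offline@1e10/s={years_to_exhaust(size, length, 1e10):.3g} yr")
    for policy in ((5, 900, 900), (5, SECONDS_PER_DAY, SECONDS_PER_DAY), (5, 900, None)):
        rate = max_guesses_per_day(*policy)
        online_years = keyspace(62, 8) / rate / 365
        print(f"lockout {policy}: {rate:.0f} guesses/day, 62^8 online exhaust {online_years:.3g} yr")
    print("history 12, min age 1 day: reuse on day", days_until_reuse(12, 1))
    print("history 12, min age 0:     reuse on day", days_until_reuse(12, 0))
```

The offline figures are the point of the table: 62^8 falls in hours at a cracking rig's 10^10 guesses per second, while 95^12 does not, which is why length dominates. The lockout figures show why the window in g matters: 5 failures per 15 minutes leaves 480 guesses per day, 5 per day leaves 5. The history simulation reproduces the zero-minimum-age bypass in e exactly.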

8.8 The chapter briefly discussed the following three common attacks against applications